topic FTP/SSL fails at server in Operating System - OpenVMS

FTP/SSL fails at server

ranger57 — Mon, 30 Apr 2012 18:43:12 GMT

Hello.

We have been having problems establishing an FTP session over SSL from our OpenVMS client to a Linux server.

We are running v8.3-1h1 of VMS, TCPIP services v5.7 ECO 3 and SSL v1.4.

The Linux ftp server is in our DMZ and not behind a firewall.

These are the errors we see from the Linux server:

PINACO>ftp/ssl sftp.xxxxxx.org
220-Welcome to Pure-FTPd.
220-You are user number 1 of 15 allowed.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Connected to crpvlx2sftp1.xxxxxxx.org.
234 AUTH TLS OK.
200 PBSZ=0
200 Data protection level set to "private"
Name (crpvlx2sftp1.xxxxxx.org:sysjames): smithj
331 User smithj OK. Password required
Password:
230-User smithj has group access to: sftp-lum-g
230-OK. Current restricted directory is /
230-8888 88 88 88 8888888888
230-88888 88 888 888 8888 8888
230-88 888 88 888 888 888
230-88 888 88 888888 88
230-88 888 88 8888 88
230-88 888 88 88 888
230-88 88888 88 888 8888
230-88 8888 88 88888888
230-
230-
230-88 88 88 88 8888888888
230-88 88 88 88 8888 8888
230-88 88 88 88 888
230-88888888 88888888 88
230-88888888 88888888 88
230-88 88 88 88 888
230-88 88 88 88 888 8888
230-88 88 88 88 88888888
230
FTP>
FTP> debug
Debugging on (debug=1).
FTP>
FTP>
FTP> pwd
---> PWD
257 "/" is your current location
FTP>
FTP> cd officemax
---> CWD officemax
250 OK. Current directory is /OfficeMax
FTP>
FTP> pwd
---> PWD
257 "/OfficeMax" is your current location
FTP>
FTP> ls -l
---> PORT 172,23,160,23,193,65
200 PORT command successful
---> NLST -l
425 Could not open data connection to port 49473: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -l
FTP>
FTP> dir
---> PORT 172,23,160,23,193,66
200 PORT command successful
---> LIST
425 Could not open data connection to port 49474: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file (* or directory)
FTP>
FTP> pwd
---> PWD
257 "/OfficeMax" is your current location
FTP>
FTP> get testfile.txt
---> PORT 172,23,160,23,193,67
200 PORT command successful
---> RETR testfile.txt
425 Could not open data connection to port 49475: Connection timed out
FTP>
FTP>
FTP> ls -a testfile.txt
---> PORT 172,23,160,23,193,68
200 PORT command successful
---> NLST -a
425 Could not open data connection to port 49476: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -a
FTP>
FTP>
FTP> ls - a
---> PORT 172,23,160,23,193,69
200 PORT command successful
---> NLST -
425 Could not open data connection to port 49477: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -
FTP>

So, as you can see we can log in to the Linux server successfully and can also do commands like pwd. Any other command, however, fails. Any ideas?

thanks in advance.

Re: FTP/SSL fails at server

Richard Brodie_1 — Mon, 30 Apr 2012 19:19:19 GMT

It appears to be a problem with the data channel somewhere; which often is a firewall problem.

How about trying "passive" after you log on?

Re: FTP/SSL fails at server

ranger57 — Mon, 30 Apr 2012 19:39:12 GMT

By "passive" I'll assume you mean 'pasv'? I'll try that, thank you.

Re: FTP/SSL fails at server

Steven Schweda — Mon, 30 Apr 2012 20:35:51 GMT

Re: FTP/SSL fails at server

The Brit — Tue, 01 May 2012 12:51:00 GMT

I dont know the answer to your problem, however I have seen something similar when I was trying to set up IPclustering (TCPIP V5.7, ECO 3, with OpenVMS 8.4, SSL 1.4). I found that I could login via FTP(without "/SSL"), to the other cluster node, however I couldn't see any files, and I got the same error indicating a problem establishing the "data" channel.. This issue was never resolved. I assumed it was something to do with my choice of clustering IP's.

At that point it went onto the back burner, for later resolution. (Other issues to deal with)

Dont know if this is of any use to you. But I would be interested in any resolution you find.

Dave.

Re: FTP/SSL fails at server

Hoff — Tue, 01 May 2012 13:21:43 GMT

Before being allowed to use FTP (and enforced by a typical modern network design), consider that the network administrator must be able to provide answers to the following questions.

1: is it permissible to post the server login credentals for all to access?

2: do you need user accountability?

3: does the client or does the server originate the data channel connection when in passive mode?

4: which IP port(s) are used by FTP on your client, and on your server?

If you can answer all of these correctly, then you have a start at understanding why ftp is a problem here.

sftp is vastly easier to deal with in modern networks, assuming a version that doesn't have those sequential-file corruption bugs is available to you.

Answer Key:

1: ftp transmits login user and password in cleartext. tools are widly available to monitor for these credentials

2: if you do, you'll want to use sftp, as access to ftp credentials is insecure.

3: from server to client, meaning any managed switched and any firewalls between the server and the client must expect an incoming ftp connection. (active-mode transfers requires a second connection from client to server, which means the server firewall needs a range of ports open, or the device needs to understand the ftp protocol and automatically open the approprate port.)

4: "the ephemeral port range", AIX and HP-UX use 32768 through 65535, OpenVMS and OS X and OS X Server use 49152 to 65535, and other implementations may vary. You'll need to keep this port range accessible on managed switches and firewalls on whichever end receives the (active or passive) data connection.